Work getting hacked?

Anyone else find that their work is constantly under attack from phishing and even targeted attacks? I work for law firms and it is constant. I think the problem is far worse than anyone is letting on, and all these companies getting hacked don't advertise it because they lose business. So it's all kept secret.

To be honest it is getting ridiculous. We have several layers of protection and they still manage to get through, and these days it seems when they get through they really do a number and root the whole network. It is a nightmare, I really don't think IT is paid enough for that. It just seems to me like they are losing the battle. We even had a phone call from some guy trying to social engineer remote access.

We have the obvious firewall, OpenDNS filtering, Sophos web protection and endpoint, Mimecast email security and URL filtering. All the clients are locked down. But yet we still have trojans getting through, from the web or email. Webmail is a big attack vector as well.
 
Meh, come back when your users manage to Cryptolocker their servers. Boomin thing sucks!

This is exactly the sort of thing I am talking about. I just inherited a site that was hit with cryptolocker. It was removed and restored from backup ok but I still think they are in the network. I am probably paranoid but I can't see them just getting removed by a virus scan these days.

Then I had to deal with an attack a few months ago where another company that the company I work for does seminars with was hacked. They apparently sent out a mass mailer using their mailer system with a macro malware Word doc to all the client list. It was a very well crafted email and got through on all the whitelists. Now we block macros, but still a big attack. I bet they got about 1000 bots from that. It managed to infect our network and the finance director even forwarded the email to the whole firm with the attachment, warning them not to open it. Crazy.
 
And that's the thing with APT type attacks, it's very hard to know what's actually been going on unless you've got the tools in place to detect and investigate.

Have you got any sort of SIEM solution on the network to see what's going on from a behaviour point of view?

Even something simple as monitoring outbound traffic, see where stuff is going or potentially calling home.

As has been said, education is one of the most effective tools in the box, but we all know it can be frustratingly hard to get people to listen and think!



That's one of the problems if you're just using signature based technology, you have to have seen the attack variant before you can start to protect against it. Which is no good the first time it hits :)

We have a managed firewall which makes monitoring traffic even more difficult. I could request that the managed firewall people monitor traffic and look for any international connections or connections out of hours.

I know what you mean though, that is really the only way to see if there is still an underlying infection that is keeping quiet and slowly getting root on the network.

The site that was hit by cryptolocker has a major problem with one DC; it almost looks like someone has been attacking it from internal. The svchost was running at 100% CPU usage as a result of Windows Update. The DC was completely unpatched and it would probably be the first thing that an attacker would go for, the DC. Also noticed corrupted group policy, but only on the one DC. I moved the roles and will demote the DC next week.
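As an added illustration of the out-of-hours monitoring idea raised above (example code, not from any poster in this thread), a small Python check over constructed firewall log lines that picks out allowed outbound connections outside business hours and groups repeated ones by source/destination pair, the kind of list you could hand to a managed firewall provider to chase. The log line format, the 10.0.0.0/8 internal range and the 08:00-18:59 window are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a generic "timestamp action proto src -> dst" shape
# (not the format of any particular firewall product).
SAMPLE_LOG = """\
2015-03-02T09:15:02 ALLOW TCP 10.0.1.20:51234 -> 93.184.216.34:443
2015-03-02T12:40:11 ALLOW TCP 10.0.1.21:51240 -> 10.0.0.5:445
2015-03-02T02:03:44 ALLOW TCP 10.0.1.22:51301 -> 198.51.100.7:443
2015-03-02T02:04:15 ALLOW TCP 10.0.1.22:51302 -> 198.51.100.7:443
2015-03-03T03:17:09 ALLOW TCP 10.0.1.22:51377 -> 198.51.100.7:443
2015-03-03T10:02:00 DENY  TCP 10.0.1.30:51400 -> 203.0.113.9:6667
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY)\s+(?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the firm's LAN range
BUSINESS_HOURS = range(8, 19)                   # assumption: 08:00-18:59 local time

def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def is_outbound(ev):
    """Internal source talking to a non-internal destination."""
    return (ipaddress.ip_address(ev["src"]) in INTERNAL
            and ipaddress.ip_address(ev["dst"]) not in INTERNAL)

def out_of_hours_outbound(log_text):
    """Allowed outbound connections outside business hours, keyed by (src, dst)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "ALLOW" or not is_outbound(ev):
            continue
        if ev["ts"].hour not in BUSINESS_HOURS:
            hits[(ev["src"], ev["dst"])].append(ev["ts"])
    return dict(hits)

def beacon_candidates(log_text, min_hits=2):
    """Pairs seen repeatedly out of hours; a quiet infection calling home looks like this."""
    return {pair: len(ts) for pair, ts in out_of_hours_outbound(log_text).items()
            if len(ts) >= min_hits}
```

A real run would read the exported firewall log instead of SAMPLE_LOG and needs the business-hours window adjusted for the site's timezone.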

App locker?

Not sure what you mean by app locker?
 